Cloud Policy Details
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.

Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details: https://go.microsoft.com/fwlink/?linkid=2148762

Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows; see the following link for more information. For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
All elements are written under the registry path `SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload` (HKLM).

| Scope | Element | Element ID | Input type | Registry value name | Registry type | Constraints & behavior |
|---|---|---|---|---|---|---|
| Computer | Cloud ID (optional) | `PayloadCloudId` | text | `cloudid` | REG_SZ | None |
| Computer | Azure AD Directory ID | `PayloadTenantId` | text | `tenantid` | REG_SZ | None |
| Computer | Policy GUID | `PayloadPolicyId` | text | `policyid` | REG_SZ | None |
| Computer | Hostnames (optional) | `PayloadHostnamesId` | list | `hostnames` | REG_MULTI_SZ | None |
| Computer | Subdomain Supported Hostnames (optional) | `PayloadSubdomainSupportedHostnamesId` | list | `subdomainSupportedHostnames` | REG_MULTI_SZ | None |
| Computer | IP Ranges (optional) | `PayloadIpRangesId` | list | `ipRanges` | REG_MULTI_SZ | None |
| Computer | Enable firewall protection of Microsoft endpoints | `EnforceFirewall` | boolean | `enforceFirewall` | REG_DWORD | Options: true (1), false (no value). True: set value = 1; False: no value written |
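As an added audit example (not part of this policy page or of Microsoft's tooling), the following PowerShell reads the payload values listed in the table above from a device and reports misconfigurations, in particular `enforceFirewall` set to 1 without an enforced user-mode WDAC policy, which the overview warns would cut untagged applications off from Microsoft endpoints. The GUID check and the use of the `Win32_DeviceGuard` class as a proxy for "an App Control for Business policy has been applied" are this script's own assumptions.

```powershell
# Added example: audit the Tenant Restrictions payload written by this policy.
# Registry path and value names come from the policy's element table; the GUID
# format check and the Device Guard probe are assumptions made by this script.
$PayloadKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload'

function Test-TenantRestrictionsPayload {
    [CmdletBinding()]
    param([string]$Path = $PayloadKey)

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $Path)) {
        $findings.Add("Payload key not present: policy is not configured on this device")
        return $findings
    }
    $p = Get-ItemProperty -Path $Path

    # tenantid and policyid are required elements; both are GUIDs in Azure AD.
    foreach ($name in 'tenantid', 'policyid') {
        $v = $p.$name
        $g = [guid]::Empty
        if ([string]::IsNullOrWhiteSpace($v)) {
            $findings.Add("Required value '$name' is missing or empty")
        } elseif (-not [guid]::TryParse($v, [ref]$g)) {
            $findings.Add("Value '$name' is not a GUID: '$v'")
        }
    }

    # Optional REG_MULTI_SZ lists: an empty entry is a silent misconfiguration.
    foreach ($name in 'hostnames', 'subdomainSupportedHostnames', 'ipRanges') {
        $v = $p.$name
        if ($null -ne $v) {
            foreach ($entry in @($v)) {
                if ([string]::IsNullOrWhiteSpace($entry)) {
                    $findings.Add("List '$name' contains an empty entry")
                }
            }
        }
    }

    # enforceFirewall=1 blocks every untagged app from Microsoft endpoints, so
    # require an enforced user-mode code-integrity (WDAC) policy first.
    # UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = Off, 1 = Audit, 2 = Enforced.
    if ($p.enforceFirewall -eq 1) {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
        if ($null -eq $dg -or $dg.UsermodeCodeIntegrityPolicyEnforcementStatus -ne 2) {
            $findings.Add("enforceFirewall=1 but no enforced user-mode WDAC policy reported; untagged apps will lose access to Microsoft endpoints")
        }
    }
    return $findings
}

Test-TenantRestrictionsPayload | ForEach-Object { Write-Warning $_ }
```

Run it elevated on a target device before flipping `EnforceFirewall` to true; an empty result means the required values are present and well-formed and the firewall gate is satisfied.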